diff --git a/docs/guide/coverage/language/julia.md b/docs/guide/coverage/language/julia.md
index 3c4446c12e..8e8bb17a30 100644
--- a/docs/guide/coverage/language/julia.md
+++ b/docs/guide/coverage/language/julia.md
@@ -7,7 +7,7 @@ The following scanners are supported.
 | Package manager | SBOM | Vulnerability | License |
 |-----------------|:----:|:-------------:|:-------:|
-| Pkg.jl | ✓ | - | - |
+| Pkg.jl | ✓ | ✓ | - |
 The following table provides an outline of the features Trivy offers.
diff --git a/docs/guide/references/configuration/cli/trivy_filesystem.md b/docs/guide/references/configuration/cli/trivy_filesystem.md
index d76fc6c425..0d75fbf8a3 100644
--- a/docs/guide/references/configuration/cli/trivy_filesystem.md
+++ b/docs/guide/references/configuration/cli/trivy_filesystem.md
@@ -171,6 +171,7 @@ trivy filesystem [flags] PATH
 - chainguard
 - bitnami
 - govulndb
+ - julia
 - echo
 - minimos
 - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_image.md b/docs/guide/references/configuration/cli/trivy_image.md
index c2673db3dc..f76f4980a5 100644
--- a/docs/guide/references/configuration/cli/trivy_image.md
+++ b/docs/guide/references/configuration/cli/trivy_image.md
@@ -192,6 +192,7 @@ trivy image [flags] IMAGE_NAME
 - chainguard
 - bitnami
 - govulndb
+ - julia
 - echo
 - minimos
 - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_kubernetes.md b/docs/guide/references/configuration/cli/trivy_kubernetes.md
index 81a578bee5..51064cd3d1 100644
--- a/docs/guide/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/guide/references/configuration/cli/trivy_kubernetes.md
@@ -180,6 +180,7 @@ trivy kubernetes [flags] [CONTEXT]
 - chainguard
 - bitnami
 - govulndb
+ - julia
 - echo
 - minimos
 - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_repository.md b/docs/guide/references/configuration/cli/trivy_repository.md
index 2e24d744f0..ebd99012e6 100644
--- a/docs/guide/references/configuration/cli/trivy_repository.md
+++ b/docs/guide/references/configuration/cli/trivy_repository.md
@@ -170,6 +170,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
 - chainguard
 - bitnami
 - govulndb
+ - julia
 - echo
 - minimos
 - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_rootfs.md b/docs/guide/references/configuration/cli/trivy_rootfs.md
index e7cf370ae4..1221d5e134 100644
--- a/docs/guide/references/configuration/cli/trivy_rootfs.md
+++ b/docs/guide/references/configuration/cli/trivy_rootfs.md
@@ -172,6 +172,7 @@ trivy rootfs [flags] ROOTDIR
 - chainguard
 - bitnami
 - govulndb
+ - julia
 - echo
 - minimos
 - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_sbom.md b/docs/guide/references/configuration/cli/trivy_sbom.md
index 23bc6dc025..a6091bb641 100644
--- a/docs/guide/references/configuration/cli/trivy_sbom.md
+++ b/docs/guide/references/configuration/cli/trivy_sbom.md
@@ -137,6 +137,7 @@ trivy sbom [flags] SBOM_PATH
 - chainguard
 - bitnami
 - govulndb
+ - julia
 - echo
 - minimos
 - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_vm.md b/docs/guide/references/configuration/cli/trivy_vm.md
index b3698b5641..ab07822a46 100644
--- a/docs/guide/references/configuration/cli/trivy_vm.md
+++ b/docs/guide/references/configuration/cli/trivy_vm.md
@@ -156,6 +156,7 @@ trivy vm [flags] VM_IMAGE
 - chainguard
 - bitnami
 - govulndb
+ - julia
 - echo
 - minimos
 - rootio
diff --git a/docs/guide/scanner/vulnerability.md b/docs/guide/scanner/vulnerability.md
index 739c81471e..a89b9051e8 100644
--- a/docs/guide/scanner/vulnerability.md
+++ b/docs/guide/scanner/vulnerability.md
@@ -137,6 +137,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 | Dart | [GitHub Advisory Database (Pub)][pub-ghsa] | ✅ | - |
 | Elixir | [GitHub Advisory Database (Erlang)][erlang-ghsa] | ✅ | - |
 | Swift | [GitHub Advisory Database (Swift)][swift-ghsa] | ✅ | - |
+| Julia | [Open Source Vulnerabilities (Julia)][julia-osv] | ✅ | - |
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
@@ -426,13 +427,14 @@ Example logic for the following vendor severity levels when scanning an Alpine i
 [python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
 [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
+[julia-osv]: https://osv.dev/list?q=&ecosystem=Julia
 [nvd]: https://nvd.nist.gov/vuln
 [k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
 [CVE-2023-32681]: https://nvd.nist.gov/vuln/detail/CVE-2023-32681
-[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520
+[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520
 [ghsa]: https://github.com/advisories
 [requests]: https://pypi.org/project/requests/
 [precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall
diff --git a/go.mod b/go.mod
index c80a0c57ec..e03ec67995 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 github.com/aquasecurity/testdocker v0.0.0-20250616060700-ba6845ac6d17
 github.com/aquasecurity/tml v0.6.1
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169
- github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a
+ github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 github.com/aquasecurity/trivy-kubernetes v0.9.1
 github.com/aws/aws-sdk-go-v2 v1.40.0
@@ -475,7 +475,6 @@ require (
 google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 google.golang.org/grpc v1.76.0 // indirect
- gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/go.sum b/go.sum
index 99cea5ae12..e3cae0bcdd 100644
--- a/go.sum
+++ b/go.sum
@@ -222,8 +222,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
-github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a h1:Wmvjq3zQGsZ8Wlqh75zvujh7LZNTXU4YoEf8tyL1LoM=
-github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a/go.mod h1:upAJqDQkN5FdIJbtJMpokncGNhYAPGkpoCbaGciWPt4=
+github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727 h1:LawBOgOh1qrwcVTPPfZPwZkuRBIfl4IyCitnmdAjwe8=
+github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727/go.mod h1:KL/C38wFKTREFgKSShT3DEmjNYSNXoYQ96wtQXRbnM8=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.9.1 h1:bSErQcavKXDh7XMwbGX7Vy//jR5+xhe/bOgfn9G+9lQ=
@@ -1520,8 +1520,6 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
-gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
diff --git a/mkdocs.yml b/mkdocs.yml
index a8bea42c4e..328fd2c45b 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -99,13 +99,13 @@ nav:
 - Elixir: guide/coverage/language/elixir.md
 - Go: guide/coverage/language/golang.md
 - Java: guide/coverage/language/java.md
+ - Julia: guide/coverage/language/julia.md
 - Node.js: guide/coverage/language/nodejs.md
 - PHP: guide/coverage/language/php.md
 - Python: guide/coverage/language/python.md
 - Ruby: guide/coverage/language/ruby.md
 - Rust: guide/coverage/language/rust.md
 - Swift: guide/coverage/language/swift.md
- - Julia: guide/coverage/language/julia.md
 - IaC:
 - Overview: guide/coverage/iac/index.md
 - Ansible: guide/coverage/iac/ansible.md
diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
index 20297a3925..a35e6ae144 100644
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -83,8 +83,8 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
 eco = ecosystem.Kubernetes
 comparer = compare.GenericComparer{}
 case ftypes.Julia:
- log.Warn("Julia is supported for SBOM, not for vulnerability scanning")
- return Driver{}, false
+ eco = ecosystem.Julia
+ comparer = compare.GenericComparer{}
 default:
 log.Warn("The library type is not supported for vulnerability scanning",
 log.String("type", string(libType)))
@@ -129,6 +129,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 vuln := types.DetectedVulnerability{
 VulnerabilityID: adv.VulnerabilityID,
+ VendorIDs: adv.VendorIDs, // Any vendors have specific IDs, e.g. GHSA, JLSEC
 PkgID: pkgID,
 PkgName: pkgName,
 InstalledVersion: pkgVer,
diff --git a/pkg/detector/library/driver_test.go b/pkg/detector/library/driver_test.go
index fa4eb8a6ab..cfd8681d56 100644
--- a/pkg/detector/library/driver_test.go
+++ b/pkg/detector/library/driver_test.go
@@ -66,7 +66,10 @@ func TestDriver_Detect(t *testing.T) {
 },
 want: []types.DetectedVulnerability{
 {
- VulnerabilityID: "CVE-2022-21235",
+ VulnerabilityID: "CVE-2022-21235",
+ VendorIDs: []string{
+ "GHSA-6635-c626-vj4r",
+ },
 PkgName: "github.com/Masterminds/vcs",
 InstalledVersion: "v1.13.1",
 FixedVersion: "v1.13.2",
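Review bot: The new `case ftypes.Julia` branch selects `compare.GenericComparer{}` without a why-comment, and the removed `log.Warn` was the only text that documented Julia's status in this function; a one-line note on the new `comparer = compare.GenericComparer{}` line, e.g. `// Julia Pkg versions are SemVer-style, so the generic comparer can evaluate the advisory ranges` (adjust if the reason differs), keeps the intent visible next to the Kubernetes case that makes the same choice. A side effect of dropping the warning is that a Julia scan against a cached DB that predates the julia bucket would presumably now return no findings silently rather than saying the ecosystem is unsupported; it may be worth confirming how a missing bucket surfaces to the user. The switch in NewDriver continues outside the hunk on both sides.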
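Review bot: The inline comment on the added `VendorIDs: adv.VendorIDs` line reads awkwardly ("Any vendors have specific IDs") and does not say that the field is now populated for every library ecosystem, not only Julia — the updated Go expectation in driver_test.go (`GHSA-6635-c626-vj4r`) shows the effect is global. Suggest `VendorIDs: adv.VendorIDs, // vendor-specific IDs for the same advisory (e.g. GHSA-*, JLSEC-*), when the data source records them`. Because this adds content to every DetectedVulnerability a library scan reports, consumers diffing JSON output across releases will notice; a line in the changelog or commit description would help. The slice is shared with `adv` rather than copied, which looks harmless since `adv` is presumably a fresh value per advisory, but `slices.Clone(adv.VendorIDs)` would make the result independent of the source if that ever changes. The enclosing loop body continues outside the hunk.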
@@ -78,6 +81,34 @@ func TestDriver_Detect(t *testing.T) {
 },
 },
 },
+ {
+ name: "julia package",
+ fixtures: []string{
+ "testdata/fixtures/julia.yaml",
+ "testdata/fixtures/data-source.yaml",
+ },
+ libType: ftypes.Julia,
+ args: args{
+ pkgName: "HTTP",
+ pkgVer: "1.10.16",
+ },
+ want: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "CVE-2025-52479",
+ PkgName: "HTTP",
+ InstalledVersion: "1.10.16",
+ FixedVersion: "1.10.17",
+ DataSource: &dbTypes.DataSource{
+ ID: vulnerability.Julia,
+ Name: "Julia Ecosystem Security Advisories",
+ URL: "https://github.com/JuliaLang/SecurityAdvisories.jl",
+ },
+ VendorIDs: []string{
+ "JLSEC-2025-1",
+ },
+ },
+ },
+ },
 {
 name: "non-prefixed buckets",
 fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"},
diff --git a/pkg/detector/library/testdata/fixtures/data-source.yaml b/pkg/detector/library/testdata/fixtures/data-source.yaml
index 087f960d2c..c61c24e882 100644
--- a/pkg/detector/library/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -30,3 +30,8 @@
 ID: "ghsa"
 Name: "GitHub Security Advisory Go"
 URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
+ - key: "julia::Julia Ecosystem Security Advisories"
+ value:
+ ID: "julia"
+ Name: "Julia Ecosystem Security Advisories"
+ URL: "https://github.com/JuliaLang/SecurityAdvisories.jl"
diff --git a/pkg/detector/library/testdata/fixtures/go.yaml b/pkg/detector/library/testdata/fixtures/go.yaml
index 3d48dc9e9d..9e2a9d276a 100644
--- a/pkg/detector/library/testdata/fixtures/go.yaml
+++ b/pkg/detector/library/testdata/fixtures/go.yaml
@@ -8,3 +8,5 @@
 - v1.13.2
 VulnerableVersions:
 - "
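Review bot: In the new `julia package` case the `VendorIDs` field is placed after `DataSource`, while the Go case updated earlier in the same file puts it directly after `VulnerabilityID`; keeping one field order across the expected structs makes the cases easier to compare side by side. The case covers a single exact-version match (`1.10.16` fixed in `1.10.17`) and relies on `testdata/fixtures/julia.yaml`, which is not in this diff, so the shape of the vulnerable range it exercises cannot be checked here; a second row with a version outside the range, or with a prerelease suffix, would pin the comparer's behavior for this ecosystem. TestDriver_Detect continues outside the hunk.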